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Abstract 

We compare the performance of BB84 and SARG04, the later of which was proposed by 
V. Scarani et al, in Phys. Rev. Lett. 92, 057901 (2004). Specifically, in this paper, we in- 
vestigate SARG04 with two-way classical communications and SARG04 with decoy states. In the 
first part of the paper, we show that SARG04 with two-way communications can tolerate a higher 
bit error rate (19.4% for a one-photon source and 6.56% for a two-photon source) than SARG04 
with one-way communications (10.95% for a one-photon source and 2.71% for a two-photon source). 
Also, the upper bounds on the bit error rate for SARG04 with two-way communications are com- 
puted in a closed form by considering an individual attack based on a general measurement. In the 
second part of the paper, we propose employing the idea of decoy states in SARG04 to obtain un- 
conditional security even when realistic devices are used. We compare the performance of SARG04 
with decoy states and BB84 with decoy states. We find that the optimal mean-photon number 
for SARG04 is higher than that of BB84 when the bit error rate is small. Also, we observe that 
SARG04 does not achieve a longer secure distance and a higher key generation rate than BB84, 
assuming a typical experimental parameter set. 
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I. INTRODUCTION 

Quantum key distribution (QKD) provides a way for two parties to expand a secure 
key that they initially share. The best known QKD is the BB84 protocol published by 
Bennett and Brassard in 1984 The BB84 protocol consists of two phases, the quantum 
transmission phase and the classical communication phase. In the quantum phase, one of 
the two legitimate parties, Alice, sends quantum states to the other legitimate party, Bob. 
The quantum states received by Bob are converted to classical bits by measurements. In 
the classical communication phase, both parties discuss which bits to keep or discard. They 
sacrifice some bits to test the error rate on the bit string. If the error rate is too high, they 
abort the protocol. For states that are retained, they perform bit error correction with the 
help of classical communications. After that, Alice and Bob's bit strings are the same, but 
some information on them might have leaked to a potential eavesdropper, Eve. To remove 
Eve's information, they apply privacy amplification to distill the final secret key. 

The security of BB84 was not proved until many years after its introduction. Among the 
proofs 0, 0, 0, 0| , the one by Shor and Preskill jy| is relevant to this paper. Their simple 
proof essentially converts an entanglement distillation protocol (EDP)-based QKD proposed 
by Lo and Chau 5] to the BB84 protocol. The EDP-based QKD has already been shown 
to be secure by p| and the conversion successively leads to the security of BB84. 

Security proofs of QKD protocols were further extended to explicitly accommodate the 
imperfection in practical devices [?], s| . One important imperfection is that the laser sources 
used in practice are coherent sources that occasionally emit more than one photon in each 
signal. Thus, they are not single-photon sources that the other security proofs 0, U, |f| of 
BB84 assumed. In particular, BB84 may become insecure when coherent sources with strong 
intensity are used. For instance, Eve can launch an photon-number-splitting (PNS) attack, 
in which she blocks all single-photon pulses and splits multi-photon pulses. She keeps one 
copy of each of the split pulses to herself and forwards another copy to Bob. Although [3, ls| 
showed that secure QKD is still possible even with imperfect devices, the PNS attack puts 
severe limits on the distance and the key generation rate of unconditionally secure QKD. 

A novel solution to the problem of imperfect devices in BB84 was proposed by Hwang , 
which uses extra test states-called the decoy states-to learn the properties of the channel 
and/or eavesdropping on the key-generating signal states. Our group presented an uncon- 
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ditional security proof of decoy-state QKD |HJ,lll|. By combining, the GLLP (Gottesman, 
Lo, Liikenhaus, and Preskill) |7[ result with the decoy state idea |9(, we showed that decoy 
state QKD can exhibit dramatic increase in distance and key generation rate compared to 
non-decoy protocols. Moreover, our group proposed the idea of using the vacua or very weak 
coherent states as decoy states jllj]. Subsequently practical protocols for QKD using a few 
decoy states were analyzed by Wang [3, [ill , by our group , and by Harrington [3] , 
thereby making the decoy idea more practical. The first experimental implementation of 
a QKD using one decoy state was demonstrated by our group Q]. Also, a decoy method 
using two-way classical communications was proposed by our group jl7|. 

Another attempt to combat PNS attacks was by Scarani et al. |l8( , who introduced a new 
protocol, called SARG04, which is very similar to the BB84 protocol. The quantum state 
transmission phase and the measurement phase of SARG04 are the same as that of BB84, as 
both use the same four quantum states and the same experimental measurement. The only 
difference between the two protocols is the classical post-processing phase. Interestingly, 
with only a change in the post-processing phase, the protocol becomes secure even when 
Alice emits two photons, a situation under which BB84 is insecure. This was proved by two 
of us Q|, who also proved the security of SARG04 with a single-photon source. Specifically, 
we provided lower bounds of the bit error rate when one-way classical communications are 
used in the error correction and privacy amplification phases. We also proposed a modified 



SARG04 protocol that uses the same six states as the original six-state protocol |20t 21 1. 
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The security of SARG04 with a single-photon source was also proved by Branciard et al 
They considered SARG04 implemented with single-photon sources and with realistic sources. 
For the single-photon-source case, they provided upper and lower bounds of the bit error 
rate with one-way classical communications. For the realistic-source case, they considered 
only incoherent attack by Eve and showed that SARG04 can achieve a higher secret key 
rate and a greater secure distance than BB84. The SARG04 protocol was generalized by 



Koashi 



23j to the case of N quantum states. Another protocol that is similar to SARG04 



is the B92 protocol [24|, which uses two nonorthogonal quantum states. The security of 
B92 with a single-photon source was proved by Tamaki et al. 0, Q] On the other hand, 
Koashi 2^] proposed an implementation of B92 with strong phase-reference coherent light 
that was proved secure. 

The fact that a modification to the classical communication part (from BB84 to SARG04) 
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changes the foundation of security, i.e. making two-photon signals secure, is interesting. Note 
that since the difference between BB84 and SARG04 is only in the classical data processing 
part, it is not difficult to perform SARG04 once the experiment of BB84 is available. Thus, it 
is important to investigate the performance of SARG04 in order to determine which protocol 
one should perform. This is our main motivation. 

In this paper, we make an endeavour to study this interesting SARG04 protocol, but in 
different situations than that considered in 2^] and 2^|, and thus complementing their 
results. Specifically, we provide upper and lower bounds of the bit error rate with two-way 
classical communications for single-photon sources and for two-photon sources. Also, we 
consider implementations with realistic devices using decoy states with one-way classical 
communications. Here, we allow the most general attack by Eve and study the key rate 
and distance properties of SARG04 in comparison with BB84. Interestingly, under our 
most general attack assumption which was not considered in 2^|, we observe a different 



phenomenon than 



22j, that SARG04 has a lower key rate and a shorter secure distance 



than BB84. However, our result shows that SARG04 is interestingly different from BB84 in 
one aspect in the realistic setting. It is that the optimal mean photon number for SARG04 
is higher than that for BB84, when the detector error probability is low. This is because 
when the bit error rate gets smaller, the two-photon contribution to the key generation rate 
gets higher. 

This paper makes use of two important existing techniques: QKD with two-way classical 
communications and the decoy-state method. QKD with two-way communications in the 
error correction and privacy amplification phases was first proposed by Gottesman and 
Lo [28f as a method to achieve a higher tolerable bit error rate; this method was later 

n 

improved by Chau 29J to further increase the tolerable bit error rate of a six-state scheme. 
The essence of QKD with two-way communications is that, by allowing Alice and Bob to 
communicate with each other, the qubits transmitted by Alice to Bob can be separated 
into two groups, one with a higher bit error rate than the other. Thus, through two- 
way communications, they can discard the group with the higher bit error rate and retain 
the other group for further bit error correction and privacy amplification. Intuitively, a 
QKD utilizing two-way communications should be superior to the case when only one-way 
communications are used. This was shown to be true for BB84 in 



Here, we will 

show that this is also true for SARG04 for both single- and two-photon parts. Especially 
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TABLE I: Summary of results for SARG04. The numbers marked with < are the results of this 
paper. The bounds on the secure distance are specific for the experimental parameters from the 



Gobby- Yuan-Shields (GYS) experiment 30]. 



Upper bound 
Lower bound 



Bit error rate of SARG04 with single-photon source 

one-way 
14.9% [22] 

9.68% [19, 22] and 10.95% (with preprocessing) [22] 



two-way 
l/3t 



19.c 



;t 



Upper bound 
Lower bound 



Bit error rate of SARG04 with two-photon source 
one-way 

N/A 
2.71% [12] 



two-way 
22.56% t 



6.1 



;t 



Upper bound 
Lower bound 



Secure distance using decoy states with realistic source 

BB84 

207.7 km [10] 

141.8 km [1Q] 



SARG04 
207.7 W 
97.2 W 



for single-photon SARG04, we show that the lower bound with two-way communications 
is higher than the upper bound with one-way communications provided in j^]. When we 
analyze the security of SARG04 with realistic devices, we will use the decoy-state method 
of (lfj in order to achieve a long secure distance. 

We have tabulated the results of this paper on bounds of bit error rate and secure distance, 
along with known results, in TableO The six numbers on the right column are results of 
this paper, while existing results are cited on the left column. The bounds on the secure 
distance listed are specific for the experimental parameters from the Gobby- Yuan-Shields 
(GYS) experiment 30]. 

The organization of the paper is as follows: We first review some existing techniques for 
the security proof in Sectioning which provide a basis for the development of the results of this 
paper. In Section ITH{ we summarize the assumptions we make in this paper. In Section ITV| 
we develop a SARG04 protocol with two-way classical communications with one- and two- 
photon sources. In Section we consider SARG04 in a realistic setting, where imperfect 
laser sources and detectors are used. Finally, concluding remarks are provided in Section IVTl 
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We note that an independent work on SARG04 with decoy states was also studied in 



II. PRELIMINARIES 

In this section, we review some bases for the security proof in this paper. First, we 
briefly review an entanglement distillation protocol (EDP) and its relation with the security 
of QKD, where we especially review the security proof of BB84 by Shor and Preskill p. 
Secondly, we explain how SARG04 works, and we construct an EDP protocol that is equiv- 
alent to SARG04 protocol. We furthermore mention the property of the density matrix in 
the EDP protocol for the later convenience. Thirdly, we explain the key generation rate 
for BB84 and SARG04, assuming realistic devices and one-way classical communications. 
Next, we describe the decoy method in BB84 and SARG04. Finally, we review QKD with 
two-way classical communications. 

A. EDP and its relation with QKD 

1. EDP 

The goal of an entanglement distillation protocol (EDP) is to distill nearly perfect EPR 
pairs from noisy EPR pairs initially shared between two distant parties, Alice and Bob. Any 
bipartite density matrix describing Alice and Bob's qubit system, p, can be expressed in the 
Bell basis, which is composed of the four orthogonal Bell states: 

|$ ± ) = (|00)±|ll))/v / 2 

(1) 

|^> = (|01> =b |10>)/V2. 
Taking |<3> + ) as the reference state, the diagonal of p in the Bell basis 

Pl = ($+|p|$+) 
Px ±(Q-\p\Q-) 

(2) 

p z ± (* + |p|* + ) 
p Y = (^~\ p \^~) 

represent the probabilities of applying, respectively, the Pauli J, X, Z, and Y operators 
to the either one of the qubits of the bipartite system. In the view of an EDP, a pool of 
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|$ + ) j4B state is prepared by Alice. She keeps system A of every pair and sends system 
B of every pair to Bob. Due to the presence of noise in the quantum channel, system B 
may undergo bit and/or phase flip errors and the probabilities of the various types of errors 
are represented by pi (no error), p x (bit flip error), p z (phase flip error), and py (bit and 
phase flip error). In the paper by Bennett, DiVincenzo, Smolin, and Wootters (BDSW) j^, 
they assume that all of the pairs are described by the same density matrix, and the job of 
an EDP is to correct the errors using only local operations and classical communications 
(LOCCs), leaving Alice and Bob with a pool of \§ + ) AB states. Several methods of EDP's 
were proposed in BDSW including the hashing method and the recurrence method. 
Many of these methods assume that the initial density matrix p is Bell-diagonal. 



2. EDP-based QKD protocol 

EDP's are closely related to QKD protocols. The connection between them is that if 
Alice and Bob share almost perfect EPR pairs that are pure, then the pairs are almost 
unentangled with Eve's system. Thus, the information leaked to Eve is negligible, and they 
can obtain an unconditionally secure key by measuring the EPR pairs. Thus, the purpose 
of a QKD protocol can be viewed as a procedure for Alice and Bob to share almost perfect 
EPR pairs, which is the purpose of an EDP. In order to run an EDP, they need to know 
the error rates on the noisy EPR pairs and the job of the error rate estimation is the first 
part of a QKD protocol. After the error rates are upper bounded, the second part of the 
QKD involves running an EDP to distill almost perfect EPR pairs. In essence, a QKD can 
be regarded as consisting of an error rate estimation part and an EDP part. Note that the 
eavesdropping attack by Eve who has read/write access to the quantum channel appears to 
Alice and Bob as noise of the channel. 

An EDP-based QKD using quantum computers was proposed by [fj] and a modified 
version of it jfj (shown in Fig. is as follows: Alice prepares N EPR pairs 1^)^.^. = 
(|0 2 ) A |0 2 ) B . + ll*)^. \1z)b i)/V2, for % E [1,N]. She randomly chooses whether to apply a 
Hadamard gate H on system B (i.e. ki — 0,1) before sending it to Bob through Eve. Eve 
may perform the most general attack on all Bob's qubits. Bob randomly chooses whether to 
apply the Hadamard. They discard the EPR pairs to which Alice and Bob apply different 
operations. Alice and Bob choose some of the EPR pairs as test qubits. They measure the 
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A N B N 



FIG. 1: An EDP version of the BB84 protocol. Shor and Preskill |y] showed that it can be 
reduced to BB84. Note that only the EPR pairs to which Alice and Bob apply the same rotations 
are shown; EPR pairs with different rotations are discarded. 

test qubits in the Z basis and compare the measurement results publicly to estimate the 
bit error rate of the test qubits. The random sampling theorem then asserts that the rest 
of the untested qubits (code bits) have asymptotically the same bit error rates as the test 
bits with high probability. Since the bit errors and the phase errors are symmetrized by the 
random Hadamard gate on Bob's qubits, the phase error rate on code bits is asymptotically 
equal to the bit error rate on code bits, i.e. for BB84 



(3) 



Once Alice and Bob know the good estimates the error rates, they can each obtain the bit 
and phase error syndromes using quantum computers. Alice then sends her syndromes to 
Bob who will then correct his qubits by applying Z and X operations so that his syndromes 
match Alice's syndromes. After the successful distillation, they now share EPR pairs that 
have high fidelity with the pure state (where M is the number of the EPR pairs 

Alice and Bob share). They each measure their halves of the pair in the Z basis to produce 
a common secure key on which Eve has negligible information. 

We can associate the four probabilities Pi,Px,Pz,Py with two (dependent) binary random 
variables, X and Z, which represent the bit and phase errors, respectively. With this 
notation, the uncertainty in the bit flip error is H(X) = H^^px + Py) arid in the phase flip 
error is H(Z) = H^ipz + Py), where -f^Cp) = ~~P^og 2 {p) — (1 — p) log 2 (l — p) is the binary 
entropy function. The mutual information between the bit and phase errors is I(X; Z) = 
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H(X) -H(X\Z). 

The key generation rate of the EDP-based QKD using one-way classical communications 
is |32l 



R = 1 - H(X, Z) 



1-H(X) -H{Z\X). 



(4) 
(5) 



The second term in the last equation is concerned with the number of rounds of random 
hashing for determining the bit error patterns, and the third term is concerned with the 
number of rounds of random hashing for determining the phase error patterns given that 
the bit error patterns are known. One drawback with the EDP-based QKD is that it requires 
the preparation of EPR pairs and the use of quantum memory and computers, which are 
challenging to implement in practice in the near future. Thus, it is more desirable to use 
prepare-and-measure QKD protocols, in which Alice only needs to prepare qubits and send 
them to Bob, and Bob only needs to measure them immediately after receiving them; no 
quantum memory and quantum computers are needed. 

3. BB84 protocol 

In Shor and Preskill's proof Q], they showed that the EDP-based QKD can be reduced to 
BB84, a prepare-and-measure protocol that does not require the use of quantum computers. 
Their proof relies on the use of CSS codes to decouple the bit error correction and the 
phase error correction. They showed that phase error correction is not necessary; as long 
as phase error correction could have been performed, the protocol is secure. Thus, the phase 
error correction step with quantum decoding is replaced by a privacy amplification step 
where classical bits of the raw key are XOR'ed to form the final key. Since the phase 
error correction step is removed, Bob's final Z measurement in the EDP-based QKD can be 
moved to before the bit error correction step. Here, note that all of the hashing for the bit 
error correction is in the Z basis, which commutes with Bob's final Z measurements. Only 
one-way communications are needed in the bit error correction step in Shor-Preskill's proof. 
This is because Alice and Bob both compute the bit error syndromes but only Alice sends 
her syndromes to Bob. Bob then applies the appropriate bit-flip operations on his bit string 
so as to match his syndromes with Alice's syndromes. Using Eq. (j3J), the key generation 
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rate of the BB84 protocol resulting from the use of CSS codes is 



R = 1 - H(X) - (H(Z) - I(Z; X)) 



l-H 2 (e b )-H 2 (e p ) + I(Z;X) 



(6) 
(7) 



where e& = px + Py is the bit error rate and e p = pz + Py is the phase error rate. The bit 
error rate e& is estimated in BB84 through public communications between Alice and Bob. 
It is important to note that the phase error rate e p can be estimated from e& using Eq. (jSJ). 
The mutual information term in Eq. (JJJ) can be determined by px, Py, Pz- However, only 
Gb = Px + Py and e p = pz + Py are known and py is not known. Thus, we consider the 
worst-case value of py (which corresponds to having no mutual information between bit 
and phase errors) to find the worst-case value of the key generation rate. In the worst-case 
scenario, the highest tolerable bit error rate can be found by solving 1 = 2H 2 (eb). This gives 
eb = 11.0% jfj], at which the key generation rate is zero. 

B. The SARG04 protocol 

In this paper, we consider the SARG04 protocol Q], which is a prepare-and- measure 
protocol. In fact, the quantum phase of SARG04 is the same as that of BB84; so it can 
easily be seen that SARG04 is a prepare-and-measure protocol as BB84 is. 

Let us explain how SARG04 works. In SARG04 there are four quantum states, \<pj) , i = 



where a = sin(vr/8), (3 = cos(vr/8), and R = cos(n/A)I + sm(n/4)(\l x ) (0 X \ - \0 X ) (l x \) is 
a tt/2 rotation around the Y basis. Note that \ipo) and |</9 2 ) are orthonormal, and thus 
form a basis. The same can be said for \tpx) and ^3). The four states are divided into 
four sets, {R K \ip ) , R K \<px)}, K £ [0, 3], in which one represents logic and the other logic 
1. The steps for the SARG04 protocol with a i/-photon source {v = 1,2) and one-way 
communications are as follows: 

1. Alice sends a sequence of N signals to Bob. For each signal, Alice randomly chooses 
one of the four sets and sends one of the two states in the set to Bob. 



0,...,3: 



\<Po) =P\0x) + a\l x ) 



(8) 



ip m ) = R m \<p ) , m = 0, . . . ,3, 
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FIG. 2: An EDP version of the SARG04 protocol. Alice prepares an entangled states I'l')^ = 

)b)/ where v — 1, 2 corresponds to the number of photons emitted by 
Alice. She applies a random rotation on system B before sending it to Bob through Eve. In the 
case of v = 2, Eve retains one qubit of system B and sends the other to Bob. Although, only one 
entangled state is shown for simplicity, one should be reminded that Eve may perform the most 
general attack on the ./V entangled states as in Fig Q 

2. For each signal, Bob performs the polarization measurement using one of the two bases 
randomly. If his detector fails to click, then he broadcasts this fact, and Alice and 
Bob discard all the corresponding data. 

3. For each signal, Alice publicly announces the choice of the set from which the state 
was selected. 

4. For each signal, Bob compares his measurement outcome to the two states in the set. 
If his measurement outcome is orthogonal to one of the states in the set, then he 
concludes that the other state has been sent, which is a conclusive result. On the 
other hand, if his measurement outcome is not orthogonal to either of the states in 
the set, he concludes that it is an inconclusive result. He broadcasts if he got the 
conclusive result or not for each signal. 

5. Alice randomly chooses some bits as test bits and announces their locations. Bob 
estimates the bit error rate e v from the test bits by taking the ratio of the number of 
incorrect conclusive test bits to the total number of conclusive test bits. If e u is too 
high, they abort the protocol. 

6. Alice and Bob retain only the conclusive untested bits. 

7. They perform bit error correction and privacy amplification on the remaining bit string. 
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We construct an EDP version of the SARG04 protocol, which is shown in Fig. 121 The 
EDP version lends itself to an easy extension with two-way classical communications and 
also a simplified analysis on the bounds on the bit error rates, both of which will be studied 
in detail later in this paper. We consider Alice having a z/-photon source, v — 1,2. For each 
signal, she first prepares an entangled state (lOz)^ \<$% V ) B + \ t ff V ) b) I ^ anc ^ randomly 
applies a rotation (R K )® V to system B which is then sent to Bob through Eve. Eve applies 
the most general attack on all the N signals jointly. We assume that Eve always sends 
a qubit state or a vacuum state to Bob, which is related to the assumption we describe 
in Section IIHI Bob, upon receiving the qubit, performs the inverse rotation R~ K ' and a 
filtering operation whose successful operation is described by the Kraus operator as F = 
sin 1 1 OA p (O- T- l + cos 1 \1 x )b (lx|- Here, the successful filtering corresponds to a conclusive 
result |2jj |2q in the prepare-and-measure SARG04 protocol. Alice and Bob then publicly 
exchange K and K 1 and keep the pairs with K = K'. They randomly choose some states (test 
bits) and perform Z measurements on the states. Then, they compare their measurement 
outcome publicly in order to estimate the bit error rate on the remaining pairs (code bits). 
This gives us a good estimation of the bit error rate on code bits thanks to the random 
sampling theorem. On the other hand, the phase error rate on the code bits is estimated 
from the bit error rate on the code bits by the theorem below. After the estimation, they 
choose a CSS code that is sufficient to correct all the bit and phase errors. After the error 
correction, they share maximally entangled states from which they perform Z measurements 
to obtain a secure key. It is important to note that the phase error rate of the code bits can 
be estimated from the bit error rate. Thanks to this estimation, Alice and Bob do not need 
to perform test bit in X measurement, thus we can equivalently convert our EDP protocol 
to the prepare-and-measure protocol by the Shor-Preskill's arguments. 

Theorem 1 (Density matrix of one-photon SARG04). For the one-photon case, the 
diagonal elements of the density matrix of the EPR pair shared between Alice and Bob in 
the Bell basis is 

Px = e b -a 
3 

Pz = lfb-a (9) 
Py = a, 

where e b is the bit error rate, and eft/2 < a < e b - 
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Proof. See Appendix El □ 

There are two differences between this density matrix and that for BB84: (i) there is a 
factor of | in pz (whereas the factor is one in BB84), and (ii) a is no smaller than eft/2 
(whereas a can be as small as zero in BB84). Such a restriction in a gives rise to mutual 
information between bit and phase errors (see also Q]). This is because for bit and phase 
errors to be independent (i.e. no mutual information), py = a has be to equal to |e^. 
But, this is outside the range e b /2 < a < e b for e b < | which is the case of interest. 
The lower bound on the bit error rate for the one-photon case can be found by sol ving 
= 1- H 2 (e b ) - H 2 (3e b /2) + I(X- Z), which gives e b = 9.68% Q Q Note that I22H 
provided a better bound of e b = 10.95% with data preprocessing. 

Theorem 2 (Density matrix of two-photon SARG04). For the two-photon case, the 
diagonal elements of the worst case density matrix is 

Px = e b - a 

Pz < xe b + g(x) — a, Vx (10) 
p Y = a, 



where g(x) = |(3 — 2x + a/6 — 6y/2x + 4x 2 ) and < a < e b . 

Proof. See Appendix El □ 

In this case, a is allowed to be zero. Thus, the lower bound on the bit error rate for 
the two-photon case can be found by minimizing Eq. ((7|) over a, which leads to having 
no mutual information between bit and phase errors (i.e. I(X;Z) = 0). Solving = 
1 - H 2 (e b ) - H 2 (mm x xe b + g(x)) gives e b = 2.71% 0. 



C. Privacy amplification for multi-photon signals 

In real-life implementation, a weak laser pulse is often used to simulate a single-photon 
source. However, since it actually emits weak coherent states, the laser outputs contain 
some multi-photon states in addition to the desired single-photon states. The phases of 
the coherent pulses are assumed to be randomized in a traditional laser source. Because of 
this, the coherent states of the laser output reduce to classical mixtures of photon-number 
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states with a Poisson distribution. One important idea from GLLP |2J is that the amount of 
privacy amplification needed when multi-photon signals are present is the same as if only the 
key-generating signals are present. To illustrate the idea, let us consider the key-generation 
rate for BB84. For BB84, the final key can only be generated by using the single-photon 
states. If Alice and Bob knew the locations of the single-photon states, they could discard 
all other multi-photon states and apply error correction and privacy amplification only to 
the single-photon states. In this case, they could achieve a rate of 

i?BB84 = -Qif{e 1 )H 2 {e 1 ) + Qi[l - H 2 ( ei )\, (11) 

where e n is the bit error rate of the n-photon signal states, Q n is the gain 1 of the n-photon 
signal state, and f(x) is the error correction efficiency as a function of error rate. The first 
term is concerned with number of rounds of random hashing for determining the bit error 
patterns and the H 2 {ei) in the second term is concerned with the privacy amplification. 
Note that the bit error rate e\ is used for the privacy amplification term because of Eq. (JHJ). 
For BB84, Bob's result is conclusive when Bob obtains bit value by the same measurement 
basis as the one that Alice has chosen. 

Note that the above rate is achieved only when Alice and Bob know the locations of 
the single-photon states, which is not the case that Bob uses a threshold detector. One 
method to achieve unconditional security without Alice and Bob knowing the locations of 
the single-photon states was proposed by j^j • The idea is that privacy amplification applied 
to all bit string is equivalent to that applied only to the bit string stemmed from the single- 
photon states as if the locations of them are known. To show this, we consider the bit 
value produced by k\ ■ V\ ® ku • Vm, where k\ and ku are the bit string stemmed from the 
single- and multi-photon states after bit error correction, and V\ and Vm are random strings 
in a hash function having the same lengths as k\ and ku respectively. The first term of 
k\ ■ V\ © kM • Vm corresponds to privacy amplification applied to single-photon states only, 
while the second term is some bit (possibly known to Eve). Since the first term is private to 
Alice and Bob, even if the second term is completely known to Eve, the sum is still private 
to Alice and Bob. With this idea, the key generation rate can be improved by considering 

1 The gain of a particular type is the probability that the transmitted signal of that type is sent by Alice 
and Bob gets a conclusive result. 
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privacy amplification applied only to single-photon states: 



-QJiE^H^) +Q 1 [1- H 2 ( ei ] 



(12) 



In this paper, we consider SARG04 which is secure with single-photon and two-photon states. 
In this case, the key generation rate is 



3 



R 



SAHG04 



-Q fl f(E^)H 2 (E^) + Qi[l - + Q 2 [l - H(Z 2 \X 2 



(13) 



where the Z n (X n ) is a random variable corresponding to the phase (bit) error for the n- 
photon state. The first term is the fraction of EPR pairs spent for error correction, the second 
term is the contribution to the key rate from the single-photon states, and the third term is 
the contribution from the two-photon states. Note that the mutual information between the 
bit and phase errors is included. According to Theorem the mutual information between 
X 2 and Z 2 can be zero, meaning H(Z 2 \X 2 ) = H(Z 2 ). 

In Eq. (|12|) and Eq. (|13|). the overall gain and the overall bit error rate are 
parameters that Alice and Bob can estimate through public communications. On the other 
hand, the gain Q\ (and Q 2 for SARG04), and the bit error rate for the single-photon states 
e\ (and e 2 for SARG04) cannot be directly estimated. One way to estimate e\ and Qi (and 
e 2 and Q 2 ) is to consider the worst situation for Alice and Bob. For instance, in BB84, we 
can pessimistically assume that all the errors happen only in the single-photon detection 
events, leading to e l = E^Q^/Qx and Qi = CL- Pmuiti/2, where p mu iti is the probability of 
Alice emitting multiple-photon states (see |l0||). However, this gives a low key generation 
rate and a short secure distance. Another way to estimate e n and Q n is to use the decoy- 
state method in Q], which we explain next. Using this method, the key generation rate 
and the secure distance can be greatly increased. 



D. Decoy-state method 

n the security analysis with decoy states, we assume using the infinite-decoy-state method 
of Q for the simplicity of analyses. Let us first define the yield Y n , the bit error rate e n , 
the gain Q n . The yield, Y n , is defined as the probability that Bob's measurement outcome 
is conclusive conditional on Alice's n-photon emission: 

Y n = PrjBob's result is conclusive | Alice sent n-photon state}. (14) 
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The yield is basically a sum of the probabilities of the error events and the error-free events. 
The fraction of the error-event probability is the bit error rate e n : 

e n = Pr{ Bob's result is incorrect | 

Bob's result is conclusive A Alice sent n-photon state}. (15) 

The gain of the n-photon state is 

Q n — PrjBob's result is conclusive A Alice sent n-photon state} (16) 

= Y n e-y n /n\. (17) 

The key of the decoy method is to consider the two equations for the overall gain and 
the overall bit error rate E^. The overall gain is the weighted average of the yields of all 
n-photon states: 

= Y e~v + Y ie ~y + ■■■ + Y n e-»(i2 n /n\) + ■■■ . (18) 
The overall QBER is the weight average of the errors of all n-photon states: 

E, = — ^y n e-"(/i7n!)e n (19) 

^ n=0 

The main point of the method is to vary the laser intensity \x over all non-negative values 
randomly. Each value of /x is associated with one equation for and one for E^. Thus, by 
varying /i, we have a set of linear equations of Y n and e n , which can then be solved. The 
states that are used for the determination of Y n and e n with the different /i's are the decoy 
states, which will not be used to generate the final key. Another set of states, the signal 
states, will be used for key generation and are outputs from one laser intensity only. To 
make sure that Y n and e n estimated from the decoy states are good estimates of Y n and e n 
for the signal states, we randomize the locations of both states so that Eve can only act 
equally on them. Once we have good estimates of Y n (thus, Q n ) and e n , we can determine 
the achievable key-generation rate by using Eq. ()12j) for BB84 and Eq. (JT3j) for SARG04. 
For SARG04, we use the relations between the phase and bit error rates in Eq. © and 
Eq. (110(1 to determine the phase error rates from the bit error rates. 

For BB84, the expected values for the yields and the bit error rates without any eaves- 
dropping are [3| 

^n,BB84 = [Vn + (1 - Vn)Pdark]/2 (20) 
Cji,BB84 = {Vn ^ ^~ (1 ? 7n)PcZarfc^)/^ / n,BB84; (21) 
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where r] n , pdark, and e detector are transmission efficiency for an n- photon signal, the probability 
that the detector clicks when the input is a vacuum state, and a parameter representing the 
misalignment in the detector, respectively. The presence of any eavesdropping would deviate 
the actual values of them and thus would be caught by Alice and Bob. For SARG04, we 
will derive similar formulas for Y n and e n later in this paper, and also we will describe the 
SARG04 protocol with decoy states. 

E. QKD with two-way classical communications 

In Shor-Preskill's proof, they showed that applying the bit and phase error corrections 
with CSS code followed by Z measurements to a pool of noisy EPR pairs is equivalent 
to applying the Z measurement followed by bit error correction and privacy amplification. 
This order swapping is applicable to any pool of noisy EPR pairs characterized by some 
{Px,Py,Pz)- Imagine that, before the bit and phase error corrections and the final Z mea- 
surements , we insert an extra operation on the EPR pairs that changes the pairs to have 
some other characteristics (p' x ,p' Y ,p' z ). One reason that we want to insert such an extra 
operation is to increase the highest tolerable bit error rate of a QKD protocol. Since, af- 
ter this extra operation, we are also left with a pool of noisy EPR pairs, we can invoke 
the Shor-Preskill's argument to move the final Z measurements to before the bit and phase 
error correction steps. However, this is not (yet) a prepare-and-measure protocol since Shor- 
Preskill's proof only brings the Z measurements to after the extra operation. If this extra 
operation commutes with the Z measurements, then we can swap their order and turn it 
into a prepare-and-measure protocol. 

A specific operation for this extra operation was considered by Gottesman and Lo 
Their operation commutes with the Z measurements (so is compatible with prepare-and- 
measure protocols) and is composed of a sequence of steps applied to the EPR pairs. There 
are two types of steps, a B step and a P step. As the names imply, a B step (P step) 
is meant to improve the bit (phase) error rate of the EPR pairs. A B step requires two- 
way classical communications for exchanging information between Alice and Bob. Hence, 
prepare-and-measure protocols derived from using this technique requires two-way classical 
communicat ions . 

I — I 

Definition 1 (B step [28]). A B step, shown in Fig. El consists of Alice and Bob together 
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FIG. 3: B step: Alice performs a bilateral XOR on her halves of two EPR pairs (the circuit of 
which is depicted) and Bob performs the same on his halves of the EPR pairs. They measure the 
target qubits in the Z basis. If their measurement results are same, they keep the source EPR pair 
and discard the target; otherwise, they discard both EPR pairs. 

performing a bilateral XOR on two EPR pairs randomly chosen and comparing their Z 
measurement results of the target pair. If their results are the same, they keep the source 
EPR pair and discard the target EPR pair. If they are different, they discard both pairs. 
When the two EPR pairs initially have no bit error or both have a bit error, the measurement 
results will be the same. When only one of the two pairs has a bit error, the measurement 
results will be different. The bilateral XOR is equivalent to two measurements of Z ® Z, 
one by Alice and one by Bob. Thus, a B step commutes with the final Z measurements 
in a prepare-and-measure protocol. Suppose that initially the EPR pairs are in the state 
(Px,Py,Pz), applying a B step to every pair of EPR pairs leads to a smaller set of surviving 
pairs with a new state (PxiPyiP'z) 

Px = (Px+pD/Ps (22) 

p' Y = 2p x p Y /ps (23) 

p' z = 2(1 - p x - Py - Pz)pz/Ps (24) 

p s = 1 - 2(p x +Py)(1 ~Px ~Py), (25) 

where ps is the probability that a source EPR pair survives the step. Note that half of the 
EPR pairs are target pairs and are always discarded after a B step. 

Definition 2 (P step A P step, shown in Fig. HJ operates on three EPR pairs 

randomly chosen, one target and two source pairs. Alice and Bob perform a bilateral XOR 
on the target and a source pairs and then perform a second bilateral XOR on the target and 
the second source pairs. The phase error syndrome is the X measurements of the two source 
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A 2 
A 3 

FIG. 4: P step: Alice adds (module 2) her halves of three EPR pairs (the circuit of which is 
depicted) and Bob performs the same on his halves of the EPR pairs. They keep the target EPR 
pair and discard the other two. The X measurements of the two source pairs do not need to be 
performed in a prepare-and-measure QKD. 

pairs, which is not needed in a prepare-and-measure QKD. The target pair is kept for the 
next step. The P step requires no communications between Alice and Bob and is really a 
classical circuit. So, the P step commutes with the final Z measurements of a QKD. If the 
Z measurements is performed before the P step, the P step is equivalent to XOR'ing three 
bits to generate one bit. Suppose that initially the EPR pairs are in the state (px,Py,Pz), 
a P step leads to a new state 

Px = 3p 2 i(Px +Py) + GpiPxPz + "iPxPr + Px (26) 

p' Y = QpiPvPz + 3px(p Y + Pz) + 3p Y Pz + Py ( 27 ) 

Pz = 3pi(p Y + Pz) + QPxPyPz + 3pyp z + p\ (28) 

Pi = 1 - px ~ Py - Pz, (29) 

where pi is the initial probability of no error. Note that only one-third of the EPR pairs 
remain after a P step. 

The reduction from a EDP with B and P steps to BB84 is possible because these steps sat- 
isfy the "no-branching (in X operators) requirement" in Gottesman-Lo's paper j^ . Specif- 
ically, the decision of which EPR pairs to discard and which to retain only depends on the 
outcomes of Z measurements, but not on the outcomes of X measurements. For BB84, 
Go tt „ Md Lo showed that a _ of fl ve B Steps , toHowed b y six P S te pS , can 
give rise to a tolerable bit error rate of 18.9%. Since py cannot be estimated in BB84, it 
is necessary to consider the worst-case value of py when determining the tolerable bit error 
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rate. They showed that py = is the worst case for any sequence starting with a B step. 
In this paper, we consider finding the highest tolerable bit error rate for SARG04 using 
Gottesman and Lo's technique. We also prove the worst-case value of py for SARG04. 



III. ASSUMPTIONS ON THE DEVICES 

In this section, we describe some assumptions we make in this paper. 
First, note that Bob sometimes has a double click where he cannot determine the mea- 
surement outcome. This happens because of the dark counts or detecting multi-photon. In 

nn 

this case, we impose Bob to take one of the bit values randomly [3, |q|. Thus, we can re- 
gard his measurement outcome as always stemmingfrom the measurement on a qubit state. 
This operation is so-called "squash operation" in |7[, which is a operation mapping from a 
multi-photon state to a qubit state. Furthermore, we assume the measurement such that it 
can be represented by the squash operation followed by a proper operations in a protocol. 
For instance, Bob's measurement can be described by the squash operation followed by the 
rotations, the filtering operation and Z basis measurement in SARG04 protocol. We assume 
this model based on the squash operation in the whole paper. 

In Section we will consider five types of imperfections in realistic QKD set-ups: (i) the 
source is a laser source that generates a Poisson distribution of photon number state, (ii) 
there is loss in the optical fiber, (iii) Bob's detector is not completely efficient in declaring a 
detection event, (iv) Bob's detector may generate a false detection when there is no input, 
and (v) there is misalignment in Bob's detector. 

Assuming the phase randomization, the single-mode laser source emits a pulse that is a 
classical mixtures of the photon number states with a Poisson distribution: 

oo 



££r M io<<i, ( 3 °) 



i=0 

where /x is the mean photon number. 

We quantify the loss in the optical fiber by the probability that an input photon is lost 
at the end of the transmission. Let a in dB/km be the loss coefficient of the optical fiber 
and I be the fiber length in km. The probability that the input photon is not lost is equal 
to lCTio. 

It is the case that Bob's detector fails to indicate the presence of an input photon. The 

20 



effect is similar to the transmission loss. The probability that Bob's detector detects the 
presence of an input photon is defined as Bob's detection efficiency r\ Boh . 

Combining the loss in the quantum channel and the inefficiency of Bob's detector, we 
have the overall transmission efficiency, 77. It is the probability that a photon is detected 
given that one has been sent, which is given by 

rj = 10-fS . VBob (31) 

When the input signal contains more than one photons, the signal is detected if at least one 
photon is detected. Thus, the transmission efficiency for an n-photon signal is 

Vn = 1-(1- V ) n . (32) 

When there is no input to Bob's detector, there is a possibility that it generates a detection 
event. This is due to the intrinsic detector's dark counts, the background spray, and the 
leakage from timing signals. We denote the probability of this false detection event as Pdark- 

We model the misalignment of the detectors by a rotation in the bases of Bob's projection 
measurements. We will calculate the probabilities of inconclusive, correct, and incorrect 
results specifically for SARG04 using this model in Section IVl 

IV. SARG04 WITH ONE- AND TWO-PHOTON SOURCES 

In this section, we derive the lower and upper bounds of the tolerable bit error rates for 
SARG04 with two-way classical communications, where we consider using perfect one- and 
two-photon sources. 

A. Lower bounds with two-way communications 

To determine the highest tolerable bit error rate, we would like to search for the sequence 
of B steps and P steps (introduced in Section Hi EJ) that, when followed by the one-way EDP 
with random CSS to correct bit and phase errors, gives a positive key generate rate for the bit 
error rate in question. The sequence of B and P steps renders the initial state (pi, px,PY, Pz) 
to another state (p'j , p' x , p' Y , p' z ) , which is then passed to the one-way protocol for producing 
almost perfect EPR pairs. The key generation rate, based on the CSS protocol, is 

R = 1 - H(p' x + p' Y ) - H(p' z + p' Y ). (33) 
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Note that we have ignored the mutual information between the bit and phase errors for 
simplicity of analyses. For the single-photon case of SARG04, the initial state is px = e^ — a, 
Pz = §65 — a,, Py = a, where Alice and Bob can estimate e& but not a. Thus, for the purpose 
of determining the highest tolerable bit error rate, we consider the worst-case value of a for 
a given e& and a given sequence such that the initial state with this value will lead to the 
smallest key generation rate. A proof of this for BB84 was given in j^j]. Here we adapt 
their proof to SARG04 and have the following theorem: 

Theorem 3. For an initial state of px = e& — a, pz = ^e^ — a, py = a, where £ G R > 1 
is some constant, the key generation rate as given in Eq. \3'J\) is an increasing function of a 
for a fixed and a fixed sequence of B steps and P steps starting with a B step, under the 
following conditions: 

(i) eh < 2(i+1) ^ ™ va ^d range, and 

(ii) e b < ^. 

Proof. See Appendix |Bj □ 

Note that Theorem El is a simple generalization of the result in Appendix III of |28]. For 
the single-photon case, we apply Theorem |3] with £ = |. Given the valid range of a being 
[eft/2, e&], we have the following: 

Corollary 1. The worst-case for single-photon SARG04 is a = y . 

We have written a simple computer program in Mathematica to calculate the evolution of 
the diagonal elements of the marginal density matrix of the EPR pairs shared by Alice and 
Bob under sequences of B and P steps using Eqs. (|2^ |) - (j2^|) . With a = y, we exhaustively 
searched for the step sequence with 15 B/P steps or less that can tolerate the highest bit 
error rate. For each sequence, we searched for the highest initial value of e& that gives rise to 
a positive key generation rate given by Eq. (jHSJ)- We conclude that e b = 19.9% is tolerable 
with nine B steps. We can easily check that this value of eb satisfies the two conditions 
of Theorem El Since in each B step, Alice and Bob discard at least half of the EPR pairs 
that have survived so far, a protocol with nine B steps leaves only a small number of EPR 
pairs at the end of the protocol. Thus, a sequence with nine B steps may not be efficient in 
practice. Therefore, we consider the highest tolerable bit error rates with various maximum 
numbers of steps allowed, as shown in Fig. As can be seen, even a protocol with two B 
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FIG. 5: The highest tolerable bit error rates with various maximum number of B or P steps 
allowed. It turns out only B steps are used in all cases to achieve the highest bit error rates. Even 
when a small number of B steps is used, the tolerable bit error rate increase quite substantially 
compared to the case where no B step is used. Note that only up to 9 (6) steps are plotted for the 
single-photon (two-photon) case since sequences with more steps are less optimal. 

steps is able to tolerate a bit error rate of 16.1%, which is a great improvement from that 
of one-way protocols (10.95% from [hoi l^). 

We now consider two-photon SARG04, whose density matrix satisfies Eq. (II Oj) . Since 
Pz < x^b + g(x) — cl, Vx, we can minimize the right-hand side over x to find the worst-case 
pz- Substituting in the minimizing x gives us the initial state 



Px 

Pz 
Py 



eft — a 
1 1 
2 
a 
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1 - 3e b ) + 
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where < a < e^. Since pz can be written as pz = — a for some £ > 1 and for a fixed 
e^, we can invoke Theorem El to arrive at the following: 

Corollary 2. The worst-case for two-photon SARG04 is a = 0. 

In the worst case, we found that e& = 6.56% is tolerable with six B steps for two- 
photon SARG04. This is greater than the tolerable bit error rate of 2.71% using one-way 
communications Q]. The highest tolerable bit error rates with various maximum numbers 
of steps allowed for the two-photon is also shown in Fig. 03 As can be seen, even when a 
smaller number of B steps is used, the tolerable bit error rate increase quite substantially 
compared to the case where no B step is used. 

The steps for the SARG04 protocol with a ^-photon source iy = 1,2) involving B steps 
are similar to the one-way SARG04 protocol in Section III Bl and are as follows: 

1-6. Same as that in one-way SARG04. 

7. B step: Alice randomly divides the bits into pairs and informs this to Bob. They 
separately compute the parity for each pair and compare their results with each other. 
If they have the same parity for a pair, they keep one bit and discard the other bit of 
the pair; otherwise, both bits are discarded. This step is repeated as many times as 
needed. 

8. They perform bit error correction and privacy amplification on the remaining bit string 
using the revised bit error rate. 



B. Upper bounds with two-way communications 

An upper bound for single-photon SARG04 with one-way communications was provided 
in (2^]. This upper bound of 14.9% is lower than our lower bound of 19.9% with two- 
way communications. In other words, as far as the single-photon component is concerned, 
SARG04 with two-way classical communications can tolerate a higher bit error rate than 
SARG04 with only one-way classical communications. A similar behaviour was previously 
found in BB84 (28 1. Here, we will investigate the upper bound with two-way communications 
for both single-photon and two-photon in SARG04. 
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To arrive at an upper bound, we note that security cannot be established between Alice 
and Bob if there is no entanglement shared between them j^J . Specifically, when the density 
matrix of Alice and Bob is separable, i.e. p^g = Yli PA,i®PB,i, then there is no entanglement. 
One result from BDSW is that, for a bipartite state with a density matrix of the form 

p = Pl |$+}($ + |+p 2 |$-}($-|+p 3 |^ + )(^ + |+j94|^)(^^|, (35) 

if none of the probabilities pi, . . . , p± is greater than |, then p can be written as a mixture of 
separable states and thus no entanglement exists. Using this idea, we may find the bit error 
rate with which the Bell diagonal elements of our density matrices of SARG04 in Eq. Q and 
Eq. (flT)|) are all no greater than |. We may imagine e& to be small initially, in which case pi 
is close to unity and px, Py, and, pz are close to zero. Then, we gradually increase e& until 
Pi goes down to \. Although the BDSW idea applies only to Bell-diagonal density matrix 
and our density matrices may not be Bell diagonal, we can still apply the BDSW idea to 
our case since whether the off-diagonal terms are zero or not has no bearing on the B steps, 
the P steps, the CSS error correction, and the CSS privacy amplification in our protocol. In 
other words, our entanglement distillation method does not extract entanglement from the 
off-diagonal terms. Thus, we may safely regard our density matrices as Bell-diagonal. 

For single-photon SARG04, setting pi = \ gives = § + ■ Given the valid range of a, 
this suggests that is between | and |. Eve would like to cause the error rate as low as 
possible. But she may not be able to choose a freely to induce an error rate of 1/4, since a 
is an parameter influenced by her and is not in her complete control in any attack strategy 
by her. Thus, without any reference to a specific attack strategy, the value of a (and the 
upper bound on e^) cannot be specified. Therefore, we focus on specific intercept-and-resend 
strategies to determine specific values of a and an upper bound on e^. 

In an intercept-and-resend attack, Eve captures and measures the photon sent by Alice to 
Bob. She then sends another photon with the polarization depending on the measurement 
result to Bob. Certainly, no entanglement exists between Alice and Bob, since Bob's photon 
was created by Eve. In a simple intercept-and-resend attack, Eve performs a photon polar- 
ization measurement with a basis randomly chosen from two bases. The first basis consists 
of \(po) and ^2)1 while the second consists of and |^ 3 ) . After the measurement, Eve 
sends the resultant state to Bob. This particular attack causes an error rate of |. The fact 
that this is at the high end of the range [j, |] prompts us to search for a more sophisticated 
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intercept-and-resend attack. 

Definition 3 (General POVM attack). A general POVM attack is an individual 
intercept-and-resend attack by Eve who captures every transmission from Alice (each which 
may consist of one or more photons), performs an arbitrary POVM measurement on each 
transmission independently, and sends an arbitrary state to Bob depending on the mea- 
surement outcome. The POVM is arbitrary and can be represented by J + 1 elements, 
{M vac , Mj, i — [0, . . . , J — 1]}, with M vac + Mj = I. For the outcome corresponding to 
M vac , Eve sends vacuum to Bob, whereas, for outcome i, she sends an arbitrary state |<7j) 
to Bob. 

We consider Eve launching such a general POVM attack for the SARG04 one-photon 
case and two-photon case. We want to optimize over M vac , Mi, and |<Tj) so that Eve induces 
the lowest possible bit error rate, hoping to achieve a rate smaller than 1/3 caused by the 
simple attack described above for the one-photon case. Unfortunately, for the one-photon 
case, even with such a great freedom to choose the POVM and the states sent, this attack 
cannot do better than the simple attack. 

Theorem 4. For single-photon SARG04, the smallest bit error rate e h caused by Eve using 
a general POVM attack is ~. 

Proof. See Appendix O D 

On the other hand, for two-photon SARG04, it is not trivial to consider intercept-and- 
resend attack and thus we only consider a general POVM attack. 

Theorem 5. For two-photon SARG04, the smallest bit error rate e& caused by Eve using a 
general POVM attack is '^fi « 22.65%. Moreover, a POVM that gives rise to this minimum 
bit error rate is 

M m = P(A+ \<f m ) \ip m ) + A_ \ip m +2) |VW2)) , m = 0, . . . , 3 (36) 
M vac = P(\<p ) M ~ M \<Po))/2 (37) 
= P(\p 3 ) - |^ 3 »/2 (38) 

where A± = (±2 + s/2)/A, P(|$)) = |$) ($| is a projection operator associated with a pure 
state |$), and the subscript in y? m ,+2 is taken in modulo 4. Eve sends \<p m ) to Bob when the 
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measurement outcome is m G [0,3]. Note that M vac never occurs, since the four states sent 
by Alice, \<p m ) \<fi m ) i m e [0,3], are orthogonal to the state M vac projects onto. 

Proof. See Appendix O □ 
C. Comparison with BB84 in depolarizing channels 

We compare the lower and upper bounds with two-way communications of SARG04 
and of BB84 by assuming that the eavesdropping is realized by a depolarizing channel. 
A depolarizing channel evolves an ^-photon input p® u to (1 — y)p®^ + y(//2)® 1 ' with a 
depolarizing rate p. For SARG04, the depolarizing rate p is related to the bit error rate e& by 
e& = 4p/ (3 + Ap), whereas, for BB84, e& = 2p/3. Using these formulas, we see that SARG04 
is secure up to p ~ 18.6% for one-photon and p ~ 5.27% for two-photon, and BB84 is secure 
up to p pa 28.35% 2|J with two-way communications. For the upper bounds, SARG04 is 
insecure beyond p = 3/8 for one-photon and p = 3(2 — v^2)/8 ~ 22.0% for two-photon, and 
BB84 is insecure beyond p = 3/8 28]. 

V. SARG04 WITH REALISTIC SOURCES USING DECOY 

With a realistic phase-randomized laser source, the output pulses are classical mixtures 
of the photon number states with a Poisson distribution. In this section, we consider using 
the decoy method of Q] to operate SARG04 securely with a realistic source. With this 
particular decoy method, the mean photon number of the laser source when emitting the 
decoy states varies over infinitely many values, in order to estimate the statistics for the 
dec 0y states. W„ lb in Q a^zed practica! deco y scWes with o,d y a 

few decoy states. Here, we consider applying the infinite-decoy idea to SARG04 for the 
simplicity of analyses. 

The steps for the SARG04 protocol with decoy states follows: 

1. Alice randomly chooses the locations of the decoy states and the signal states. 

2. For the decoy states, Alice adjusts the power of the laser to have a random mean- 
photon number \i and she records this value of /i. For signal states, Alice operates the 
laser at a fixed mean-photon number. 
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3. 



Alice randomly chooses one of the four sets and sends one of the two states in the set 
to Bob. 



4. Bob performs the polarization measurement using one of the two bases randomly. If 
his detector fails to click, then he broadcasts this fact, and Alice and Bob discard all 
the corresponding data. 

5. Alice announces the sets of states for both decoy and signal states to Bob. She also 
announces the locations of the decoy states, their values of /i, and their states. 

6. Bob, based on the information on the sets of states, broadcasts which bits are conclu- 
sive or not. 

7. For all the decoy states having the same fi, Bob estimates by taking the ratio of 
the number of conclusive events to the total number of conclusive, inconclusive, and 
no-detection events. He estimates by taking the ratio of the number of incorrect 
conclusive events to the total number of conclusive events. 

8. Bob then estimates e\ and €2 based on Q^s and E^s over all values of /i's. 

9. If both of ei and €2 are too high, they abort the protocol. 

10. Alice and Bob discard all events concerned with inconclusive and all decoy states. 

11. They perform bit error correction on the remaining bit string and apply privacy am- 
plification. 

In this section, we analyze the key generation rate of this protocol under the same sit- 
uation as was considered in Q], in which (i) the source is a phase randomized coherent 
source, (ii) there is loss in the optical fiber, (iii) Bob's detection is not completely efficient 
in declaring a detection event, (iv) there are dark counts, and (v) there is misalignment in 
Bob's detector. We first develop a specific detector error model for SARG04, which is then 
be used to formulate the yield and the error rate equations for SARG04. With the yields 
and the error rates, we can compute the achievable key-generation rates. 
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A. Model for detector errors in SARG04 



We consider a specific error model for detections in SARG04. We have chosen this model 
because it is also a simple model for explaining errors in BB84 and thus would provide a 
reasonable performance comparison with BB84. In the decoy paper for BB84 , they used 
the Gobby- Yuan-Shields (GYS) 0| experimental results to characterize the probability of 
detector error in BB84, denoted by edetector- The value of this probability is specific to 
the setup in the GYS experiment which is for BB84. Although an experimental setup for 
SARG04 might be the same as that for BB84 (since their quantum phases are the same), 
their interpretations of errors are different and thus there is no reason to believe that the 
error probabilities describing both setups are exactly the same. Nevertheless, in order to 
facilitate a reasonable comparison between SARG04 and BB84, we attribute the probability 
of detector error to a rotation of the detector by a small angle. Specifically, we model the 
misalignment of the detectors by a rotation of angle 9 in the two projection measurements 
at Bob's side. Using the same model for both SARG04 and BB84, we can compare their 
results on a common ground. For SARG04, we can calculate the probabilities of getting the 
inconclusive, incorrect, and correct outcomes for each of the four bases. For example, Fig. El 
shows the calculation for the basis {*-*, /*}. In the end, we conclude that given a successful 
detection event at Bob's detector, Pr {conclusive] = sm ^ + i Pr{incorrect} = sm J- } ; 
and Pr {correct} = \. For BB84, the probability of detection error can easily be seen to 
be sin 2 (6 l ). Similarly, we perform the same calculations when Bob detects a vacuum state 
and a dark count occurs. We arrive at Pr {inconclusive} = 1/2, Pr{correct} = 1/4, and 
Pr {incorrect} = 1/4. These probabilities are used later in the calculations of the yields and 
the bit error rates for SARG04. 



B. Key generation rate using decoy 

Recall that the key generation rate for SARG04 with decoy is 

i? SA RG04 > -QpfiEjHsiEj +Qi[l- H^ZxlXx)] + Q 2 [l - H 2 (e Pj2 )\, (39) 

where the subscript \i denotes the mean photon number for the signal states, is the gain 
of the signal states, is the QBER of the signal states, Qj and e p j, (j = 1, 2) are the gains 
and the phase error rates of the single-photon states (j = 1) and the two-photon states 
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FIG. 6: Calculation of measurement probabilities with misalignment of the detectors for the basis 
{<->,/*}. The misalignment is modeled by a rotation of the two measurement bases, 9. For this 
basis, the conclusive results are £ and \. 

(j = 2), Zi and Xi are random variables characterizing the phase and bit errors for the 
single-photon states (see Section |H] for definition), f(x) is the error correction efficiency as 
a function of error rate, and H2(x) is the binary entropy function. 

We note that both single-photon states and two-photon states have positive contributions 
to the key generation rate, in contrast to BB84, the key generation rate of which has only 
the single-photon-state contribution. Also, since there is mutual information between the 
bit and phase errors for the single-photon case, we have included this contribution to the 
key generation in Eq. (}39|) . The parameters and in Eq. (}39|) can be estimated through 
public communications. The phase error rates e Pi i and e Pi 2 can be estimated respectively 
from the bit error rates e\ and €2 (using the relations in Eq. and Eq. (P"Uj) with the 
worst-case values of a = e\/2 and a = respectively). The bit error rates e\ and e2, along 
with Qi and Q2, can in turn be estimated using the decoy state idea. In what follows, we 
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derive the formulas for these parameters for SARG04, and thus, using these parameters, we 
can determine the key generation rate using Eq. tj39j) . 



C. Yields and bit error rates 



We now determine the yields and the bit error rates of the transmitted qubits for SARG04. 
Using the definition of the yield in Eq. (|14|). the yield for SARG04 is 
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(40) 
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where edetector = sin 2 (6*). The fraction of | corresponds to the probability of getting a 
conclusive result. Compared to the yield for BB84 in Eq. (|20|). we see that the yield stemmed 
from the signal for SARG04 is approximately half of that for BB84. On the other hand, the 
yields stemmed from the dark count are the same for SARG04 and BB84. Similarly, for the 
bit error rate, 

r 
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Thus, the overall gain and the overall QBER for the coherent state \y/]T) are, respectively, 
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4™~ 2 

Using these formulas for the error rates and the gains, we can compute the key generation 
rate for SARG04 with one-way decoy using Eq. (jHEJ). 



D. Simulations 

Fig. [7] compares the key generation rates of SARG04 and BB84, both using the one-way 
infinite-decoy method. For this simulation, we take f(E,,) = 1.22 for simplicity and use the 
parameters from the experiments by Gobby et al. |30( as shown in Table |HJ We assumed 
that the detectors in both cases are rotated by the same angle in our model. The optimal 
mean photon numbers, /x, for SARG04 and BB84 are used at all distances. Two curves of 
SARG04 using decoy are plotted, one with both single- and two-photon contributions and 
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FIG. 7: Simulation using the GYS parameters listed in Table [H] and f(E^) = 1.22, for both 
SARG04 and BB84. We compare the key generation rates of SARG04 and BB84 using decoy 
states (solid curves) and without using decoy states (dashed curves). The optimal mean photon 
numbers, fi, for all curves are used at all distances. Two curves of SARG04 using decoy are 
plotted, one with both single- and two-photon contributions and the other with only single-photon 
contributions. Also, curves of single-photon SARG04 and of BB84 using GLLP without decoy are 
plotted. The maximal secure distance is 97.2km for SARG04 and 141.8km for BB84. However, the 
upper bounds for SARG04 and for BB84 are exactly the same, namely, 207.68 km. 

the other with only single-photon contributions. Comparing these two curves, it can be 
seen that the two-photon part has a small contribution to the key generation rates at all 
distances. Also, curves of single-photon SARG04 and of BB84 using GLLP without decoy 
are plotted. We see that, by using decoy, higher key generation rates and longer secure 
distance can be achieved. A similar behaviour for BB84 was shown in jlp| . We note that 
the key generation rate for BB84 with GLLP in Fig. 1 of is smaller than ours. This 
is because we used the optimal \i for all distances in Fig. [7| while /j, proportional to rj was 
used in jl^. The maximal secure distance for SARG04 using decoy is 97.2km, compared 
to 141.8km for BB84. The upper bound of the distance in SARG04 can be determined by 
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Wavelength [nm] 


a [dB/km] 


VBob 


^■detector 


Pdark 


1550 


0.21 


4.5% 


3.3% 


1.7 x 10~ 6 



TABLE II: Simulation parameters from Gobby- Yuan-Shields (GYS) experiments 



Q. 



finding the distances corresponding to ei = | and to t2 = 0.2265; they are, respectively, 
207.68 km and 201.43 km. Thus, the upper bound of the distance is 207.68 km, at which 
the two-photon part is not secure but the single-photon part is. Interestingly, this bound of 
207.68 km is exactly the same as the upper bound for BB84 Q]. It can be shown analytically 
that setting e\ — | for the SARG04 case and setting — \ for the BB84 case both give the 

same formula for 7/1, specifically, rji = t— - — Pdarfc . (The formulas for e n and Y n of BB84 

are of course different from that of SARG04.) The optimal /x's for achieving the highest key 
generation rate at each distance for SARG04 and BB84 using decoy are plotted in Fig. |H1 
We can see that, when the misalignment of the detector is large (i.e. large edetector), the 
optimal mean photon number for BB84 is higher than that of SARG04. On the other hand, 
when the misalignment is small, the optimal \x of SARG04 is higher at short and medium 
distances. In addition, the optimal \x of SARG04 can be higher than one in this case. This 
is reasonable since at short or medium distances, the bit error rate is not high and thus 
the key contribution from the two-photon part in SARG04 is relatively high; on the other 
hand, at long distances, the two-photon contribution is relatively small. Since the optimal 
yU for SARG04 and BB84 is approximately constant for a large range of distances, the key 
generation rates for both of SARG04 and BB84 are in the order of O (n) . 

Fig. El shows the simulation using the parameters from Fig. 4 of |22j . Our result shows 
that, under our assumption that Eve may perform the most general attack, BB84 is able to 
achieve both a higher secret key rate and a greater secure distance than SARG04, whereas, 



under the assumption considered by [22j that Eve may only perform incoherent attacks, 
they observed the reverse phenomenon in Fig. 4 of their paper (i.e. SARG04 has a higher 
key rate and greater distance than BB84). Another difference between our result and that 
of |22j is that we also consider contributions from the two- photon part. 

In both Figs. [7| and EJ there are gaps between the one-photon SARG04 curves and the 
BB84 curves whether or not decoy is used. These gaps are mainly due to the decrease in 
the gain Q n and the increase in the bit error rate e n in SARG04 relative to BB84. We 
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FIG. 8: The optimal //'s for achieving the highest key generation rate at each distance for SARG04 
using Eq. (j!3j) and for BB84 using Eq. (j!2j) . Three sets of parameters are plotted. The bottom 
two, middle two, and top two curves for BB84 and SARG04 used the same parameters except 
for edetector (which are 0.033, 0.01, and 0.0001, respectively). The other common parameters are 
listed in Table UTI and /(E^) = 1.22. When the misalignment of the detector is large (i.e. large 
edetector) as i n the bottom two curves, BB84 uses a laser with a higher optimal mean photon number 
than SARG04. When the misalignment becomes smaller as in the top two curves, the situation is 
reversed; SARG04 operates optimally with a higher \i than BB84 does. Also, note that the optimal 
[i for SARG04 can be higher than one. 

can see this as follows. By comparing the yields of SARG04 in Eq. (f4"U|) and of BB84 in 
Eq. (j2nj), in both the case of a large edetector (i-e. r] n e de tector > (1 - Vn)Pdark, corresponding 
to Figs.EJ) and the case of edetector = (corresponding to Figs. EJ), we can see that the yields 
in SARG04 is about half of that in BB84; this means that Q n in SARG04 is also about half 
of that in BB84. Similarly, by comparing the bit error rates of SARG04 in Eq. (|41|) and of 
BB84 in Eq. (|21jl. we can see that e n in SARG04 is about twice of that in BB84 for both 
figures; this means that the amount of privacy amplification needed for the one-photon part 
of SARG04 is higher than that for BB84 (even when the mutual information between the bit 
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FIG. 9 



Simulation using a = 0.25, T] Bo b = 0.1, e detector = 0, p dar k = 10 5 (from |22|), and 
1, for both SARG04 and BB84. We compare the key generation rates of SARG04 and 
BB84 using decoy states (solid curves) and without using decoy states (dashed curves). The optimal 
mean photon numbers, fj,, all curves are used at all distance. Two curves of SARG04 using decoy 
are plotted, one with both single- and two-photon contributions and the other with only single- 
photon contributions. Also, curves of single-photon SARG04 and of BB84 using GLLP without 
decoy are plotted. 

and phase errors in one-photon SARG04 is taken into account). From the key generation 
rate equations in Eq. (JT2j) and Eq. (|13|). the decrease in Q n and the increase in e n both 
reduce the key generation rate of one-photon SARG04 relative to BB84, whether or not 
decoy is used. Furthermore, based on our simulations, we observe that the gap between 
SARG04 and BB84 decreases as edetector decreases. 

VI. SUMMARY AND CONCLUDING REMARKS 



We have provided lower and upper bounds on the bit error rates for SARG04 with two- 
way classical communications. Both the single-photon part and the two-photon part were 
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considered. For the single-photon part, we have shown that SARG04 with two-way commu- 
nications can tolerate a higher bit error rate than SARG04 with one-way communications. 
However, it does not mean that for some smaller bit error rate, two-way SARG04 protocol 
has higher key generation rate than the one-way version. 

The upper bounds were found by considering a general intercept-and-resend attack by 
Eve. In this attack, she performs an arbitrary POVM and sends arbitrary states to Bob 
according to the measurement outcome. For the one-photon case, we have shown that such 
generality in her attack does not offer any advantage over a simple intercept-and-resend 
attack where she only performs measurement and sends the measurement results to Bob. 

We have also studied SARG04 with a coherent source using the decoy-state method 
to achieve unconditional security. The key generation rate is significantly improved by 
combining the GLLP and the decoy-state ideas compared to the non-decoy protocols. This 
improved key rate for SARG04 is given by 3] 

#sahgo4 = -Q il f{E^)H 2 {E ll ) + Qi[l - H(Z 1 \X 1 )] + Q 2 [l - H(Z 2 \X 2 )}. (44) 

The first term is the fraction of EPR pairs spent for bit error correction, the second term 
is the contribution to the key rate from the single-photon states, and the third term is the 
contribution from the two-photon states. In all our simulations, we found that SARG04 
has a smaller key generation rate and a shorter secure distance than BB84, using the com- 
bined GLLP and decoy formulation. Our results apply to the case where Eve performs the 
most general attack. This situation is different from that in Q, where they assumed that 
Eve performs an individual attack. We have shown that optimal mean photon number for 
SARG04 can be higher than that of BB84 for small misalignment errors in the detectors. 
Also, we observed that the optimal /i for SARG04 and BB84 is approximately constant for a 
large of distances. This means that the key generation rates for both of SARG04 and BB84 
increase linearly with the transmission efficiency 77. 

It is interesting to generalize our formulation of SARG04 with infinite decoys to the case 
of finite decoys, and to the case of using two-way classical communications with decoy. Also, 
our work can be extended to generalizations of SARG04, the six-state SARG04 and the 



iV-state protocol 



3- 



We leave them for future studies. 
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APPENDIX A: DENSITY MATRICES OF ONE- AND TWO-PHOTON SARG04 



1. One-photon case 

We consider the most general attack by Eve on all qubits sent by Alice. We focus on 
the density matrix of one qubit, denoted as p qu bit, which is obtained by tracing out all 
other qubits. Alice initially prepares 1^)^ = (|0 Z ) A \<Po) B + \^z)a Iv^bVv^ and applies 
a random rotation, R k , on system B. After Eve's attack and Bob's inverse rotation and 
successful filtering, the final qubit pair state for a particular pair is 

/Vbit = jy£P{{FBT h EWl&) B \*) AB ) (Al) 

fc=0 / 

where P(|$)) = |$) ($| is a projection operator associated with a pure state |$), and E^ 
is an arbitrary matrix indexed by / that includes Eve's action on this qubit. Note that E^ 
can be dependent on Eve's action on all the other pairs. For the moment, we consider the 
case that there is only one action by Eve (i.e. / takes on one value). The (unnormalized) 
probability of A, Y, and Z errors on p qu bit due to E can be explicitly computed using Eq. (J2J) 
as follows: 

Pi = -\au + a 22 | 2 (A2) 
Px = ^Oi2 + «2i| 2 + \au ~ a22| 2 ) (A3) 
Py = ^((5a i2 - 3a 2 i)a^ 2 + (-3a i2 + 5a 2 i)a2i + l a n ~ a 22| 2 ) (A4) 
Pz = (|«i2 1 2 + |«2i| 2 ) + 2(l a " - a 22| 2 ) (A5) 

(an &12 \ 
. The bit error probability is put — Px + Py an d the phase error 
a 21 a 22 I 

probability is p p h aS e = Pz + Py- It can easily be shown that 

Pphase = T^Pbit (A6) 

Py = Put/2 + \a 12 - a 2 i\ 2 /2 (A7) 

Note that the above equations involve the error probabilities of the particular pair conditioned 
on any configurations of the events including X, Y, and Z errors for all the other pairs, but 
not the actual error rate of a realization of the protocol. In an actual protocol, the actual 
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bit error rate e& is estimated and we want to relate it to the actual phase error rate e p and 
also to the actual Y error rate a (which is the counterpart of py)- However, we may not 
immediately conclude that e p = |eb and a > e b /2 since Pi/x/y/z are only the probabilities 
of errors conditional on the events for other pairs; the errors of all the EPR pairs could be 
arbitrarily correlated. Nevertheless, both e p = \e b and a > e b /2 can be justified by using 
Azuma's inequality 2^1 . Let N be the number of EPR pairs, L = {I , X,Y, Z} be a label 
for a Pauli operator, n^,l G [1, A] be the actual number of L errors on the first I — 1 
pairs, and be the probability of having an L error on the Z th pair conditional on any 
configuration of the events including the actual X/Y/Z error patterns on the first / — 1 pairs. 
Note that we can identify to p^. Applying Azuma's inequality to the random variable 
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- Y2iLiPl j one can show that Y2^LiPl ~^ n L with exponentially increasing probability 
as N increases. Thus, after the bit error rate estimation, Alice and Bob perceive that 
fractions e& — a, 3e;,/2 — a, and a of EPR pairs suffer from X, Z, and Y errors respectively. 
They can associate this information with a density matrix to arrive at Eq. ©. A similar 
security analysis can be found in 3^|. 



2. Two-photon case 

In the two-photon case, Alice prepares a three-photon system \^)abei = 
(\®z)a IVo)b \ l Po)ei + 1 1*) a I < / 7 i)b I < / ? i)ei)/v2 and applies a random rotation, R k (g> R k , on 
systems B and El. System B is sent to Bob through Eve while system El is kept by Eve. 
We analyze this case in the same as in the one-photon case. We obtain p qu ut by tracing 
out all other EPR pairs and system El of the pair under consideration and we arrive at 
e p < xe b + g(x),Vx, where g(x) = |(3 — 2x + \/ 6 — Qy/2x + Ax 2 ). In this case, we could not 
find any constraint on the actual fraction of Y errors, a. This means e& > a > 0. 



APPENDIX B: PROOF OF THEOREM H 

Given two initial states {px a ,PY a ,Pz a ) = (e b ~ a a ,a a ,£e b - a a ) and (px^Py^Pz^) = 
(e& — ap, ap, — ap) where ap > a a , we apply the same sequence of B/P steps starting with 
a B step to the two initial states, thus giving rise to two sequences of states (the a sequence 
and the (3 sequence). We want to show that the final state of the a sequence leads to a 
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smaller key generation rate in Eq. ()33j) than that of the (5 sequence. This implies that the 
key generation rate is an increasing function of a. 

Starting with a pool of EPR pairs with state {px,Py,Pz), applying a B step leads to 
a smaller set of surviving pairs with a new state {p'xiP'yiP'z) described by Eqs. ([22j ) -(|25j h 
Similarly, beginning with (px,PY,Pz), a P step leads to a new state described by Eqs. (J2"6jl - 

(Enj). 

We apply a change of variables: 

tz = Px+Py (Bl) 
tx = Py+ Pz (B2) 
A = Pz-Py- (B3) 

We start with the hypothesis that in any stage of the a and f3 sequences, tz = tz a > t Xp < 
t Xa , and A/3 < A a . If this is true and if t Xa < \, the key generation rate, 1—H 2 (tz)—H 2 (tx), 
at any stage of the a sequence is smaller and Theorem El follows. 

First, we can verify that the hypothesis is true initially by noticing that tz = tz a = e&, 
tx,3 = t Xa = & b and A^ = £e b - 2a p < A a = £e b - 2a a . 

Next, we show that given the hypothesis is true for the current stage, it is also true for 
the next stage when a B step is applied. In the new variables, the new state after a B step 
becomes 

t'z = t 2 z /ps (B4) 
t'x = [tx -t 2 x + A(l - 2t z - A)]/p s (B5) 
A' = [t x {l - 2t z ) + A(l - 2t x )]/ps (B6) 
p s = l-2t z + 2t 2 z . (B7) 

Given that tx 3 < t Xa and A^ < A a , we express the state of sequence (3 in terms of that of 
sequence a: 

t' Zfj = t' Za (B8) 
t'x, = t' Xa - [t Xa _ (l - 2t Xa + t Xa _ fj ) + A Q _^(1 - 2t Z(j - A a - Ap)]/p s (B9) 
A' p = A' a - [t Xa _ (l - 2t Zfj - 2A P ) + A a ^(l - 2t Xa )]/ps (BIO) 
p s = l-2t z + 2t%, (Bll) 
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where tx a _ p = tx a — tx« > and A a _p = A a — A^ > 0. Obviously, the hypothesis for the 
primed variables is true if (1 — 2tz — 2A) > 0, tx < |, and tz < § at any stage of the a and 
/? sequence. We will show the first inequality later and impose the last two inequalities as 
condition (ii) of the theorem. 

We consider the new state after a P step is applied and show that the hypothesis is also 
true for this new state. The new state after a P step is 

t' z = 3t z (l-t z ) 2 + t 3 z (B12) 
t! x = 3t 2 x (l-t x )+t x (B13) 
A' = 3A 2 (1 - 2t z - A) + A 3 . (B14) 

It is obvious that t' x increases with tx, which implies that tf x < t' Xa . Also, A' increases 
with A provided that (1 - 2t z - A) > and A > 0, which implies that A' p < A' a . The first 
inequality is satisfied if (1 — 2tz — 2 A) > 0, which will be shown later. We first show that 
A > 0. 

Claim 1. After the initial B step, or after any B/P step that follows, A > holds. 
Proof. Before the initial B step is applied, we have 

A = £e b - 2a (B15) 

> ie b - 2e b (B16) 

> -e b , (B17) 



where the last inequality is due to £ > 1. After the initial B step, from Eq. (jB6|) . we have 
A' > if the following condition is satisfied: 

A > -^ (1 ~ 2eb) . (B18) 

Since the right-hand side is smaller than — e&, this condition is satisfied after the first B step, 
which means that A' > after the first B step. Furthermore, from Eq. (|B6|) and Eq. (jB14|) . 
we conclude that A' > after any B step or P step following the initial B step. □ 

Claim 2. 1 — 2tz — 2 A > always holds if e b < 2 (j+|) (which is condition (i) of the 
Theorem). 
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Proof. Before the initial B step, we can easily see 

1 - 2t z - 2A = 1 - 2(1 + £)e b + 4a > (B19) 

because e& < 2 (i+|) • After a B step, 

1 - 2t' z - 2A' = 1 - [2t| + 2t x (l - 2t z ) + 2A(1 - 2t x )]/p s (B20) 
= (1 - 2t z - 2A)(1 - 2i x )/p Sj (B21) 

which is non-negative when 1 — 2t z — 2 A > 0. 
After a P step, 

1-24 = (1 - 2t z f (B22) 

so 

1 - 2t' z - 2A' = (1 - 2t z f - 6A 2 (1 - 2t z ) + 4A 3 (B23) 
= (1 - 2t z - 2A)[(1 - 2t z ) 2 + 2A(1 - 2t z - A)]. (B24) 

which is non- negative when 1 — 2t z — 2 A > and A > 0. □ 



APPENDIX C: PROOF OF THEOREM H AND THEOREM E 

In this appendix, we will prove that a general POVM attack by Eve induces a bit error 
rate of at least | for the single-photon case. To do this, we will first consider a special case 
of this attack where Eve always sends only SARG04 states to Bob. Then building on the 
proof of this special case, we will show that the minimum bit error rate is | for the general 
POVM attack where Eve sends arbitrary states to Bob. At last, we will generalize the proof 
to the case of two photons, showing that it is possible to derive the minimum bit error rate 
even for this case. 

Before we begin, we note that R 4 = I. This allows us to adopt the following notation: 

\if m+k ) = R- m \ip k )^m,keZ (CI) 
where the subscripts of the SARG04 states are taken in module 4. 
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FIG. 10: A POVM attack by Eve realized by U B e 1 e 2 - 
1. Eve sending SARG04 states 

A block diagram showing an attack by Eve is depicted in Fig. First, Alice prepares 
a bipartite entangled state \^) AEl = \®z)a ly^o)^ + 1 1^)^ l^i)^- After randomly applying a 
rotation R k , she sends the E\ qubit to Eve, who will then perform a POVM {W^W^j} on 
Ei, which is realized by an unitary operator Ube 1 e 2 - When the measurement result is m, 
Eve sends a state \<p m ) B to Bob. We will obtain the density matrix of Alice and Bob pab 
and minimize the bit error rate [Tr(pAB)]~ 1 [(^ + \ Pab |^ + ) + (^ _ | Pab |^ _ )] over W m 's. 

The input state transforms as follows: 



v 



R~ k F 



J2^® R k)^)A El \k)K 

k 

3 

E E^ ® (W m R k ) El ) \V) AEi \m) E2 \tp m ) B \k) 



K 



k m=0 
3 



E E [ \°')a ( w ^R k \vo) El ) + 1 1 *) a (w m R k M 



Ei 



(C2) 
(C3) 
(C4) 



k m=0 



m) E2 (FR- k \ Vm ) B )\k) 



B) I / K 



We then trace out systems Ei, E 2 , and K to get the final density matrix between Alice and 
Bob: 

3 3 

P AB = E E ( a ™°* I°->a (0-1 + <k \0m) a (U + < k %) A (0,1 + C \h) A (U ) (C5) 

k=0 m=0 

<S)F \<f m+k ) B (ip m +k\ F ] (C6) 
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where 



no 

ink 



| (0,| W m \<p_ k ) | 2 + I (1*1 W m \<p. k } | 2 (C7) 

<k = (0,1 W m \<p_ k ) (0,| W m \cp^ k )* + (1,| W m \<p_ k ) (1,| W m |v7i_*>* (C8) 

C = (O* (C9) 

ai! fc = I (0,| W m \<pi- k ) | 2 + | (1,| W m |^_ fc ) | 2 (CIO) 



Here, we have used the notation in Eq. (jCTJ). Note that pab is a separable density matrix 
as we have explicitly constructed it to be, and because of that, no entanglement exists and 
thus no secure key can be distilled. We can compute the unnormalized bit error rate px +Py 
as 

Px+Py = ab (0 z lz\ Pab\0 z 1z) ab + AB (lz0z\ Pab\1z0 z ) ab (Cll) 
= E a ™ fc 4 + E a ™^4 

k+m=0 k+m=\ 



+ E Kk\ + a^ (C12) 

fc+m=2 

+ E R^+^z) 



2 

k+m=3 



3 1 

EE^i^-^li^)> (ci3) 

m=0 j=0 



where 



- \<fl+m) (Vl+m| + (^2+ml + ^ 1^3+m) (y?3+m| • (C14) 

Since W m is some 2x2 matrix (not necessary Hermitian), the problem of finding W m is 
broken into finding two independent 1x2 vectors (0,| W m and {l z \ W m . 
In order to normalize the bit error rate, we find 

Tr(p AB ) = E 

ab {izjz \ Pab \iz3z) ab 

(C15) 

«,)6{0,1} 
3 1 



where 



m=Q j=0 



B m — — \(po +m ) (ipo +m \ + \<fi +m ) (ipi+r 



3 

+ - \<f2+m) (^2+ml + |^3+m) (y?3+m| • (C17) 



2 
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Therefore, the normalized bit error rate is 



Em=o E]=o 0*1 W m L m Wl \j z ) 

Cfe = 5 ; 1 (Ulo) 

ELoE,=o (Uw m B m wl\j z ) 

We want to minimize e over the eight independent 1x2 vectors (j z \ W m . At least one of 
the eight must be non-zero, otherwise all W m would be zero and there would be no qubits 
sent to Bob. Since e is not a sum of eight independent ratios, i.e. 

it may appear at first sight that the minimization of e D is not trivial. However, it turns 
out that we can minimize each ratio independently and set e& to be the smallest ratio by 
assigning zeros to the other seven vectors. We show this by the following claim: 

Claim 3. Given two ratios, ^ and ^,if s± < r 1 , then ^ < ^4^- 

Therefore, we consider separately minimizing each ratio, which can be written as 

(C20) 

where (cj m \ = (j z \W m Bm is a 1 x 2 vector. The minimizing cj m is the eigenvector of 

_ i _ i 

B m 2 L m Bm 2 corresponding to the minimum eigenvalue. The two eigenvalues are 0.6 and | 
for all m. Thus, the minimum e is \. A POVM {W^Wm} that is compatible with these 
eigenvectors is W^Wm = \<p m ) (f m \ /2, m = 0, . . . , 3, which is the trivial intercept-and-resend 
attack. 



{ c jm 


_l 

B m L 


i 

R 2 
m J ->rn 


Cjm) 







2. Eve sending arbitrary states 

Now, instead of sending the four SARG04 states \ipi) , i = 0, . . . , 3, we assume Eve sends 
any number, G, of arbitrary states. We label these states as \o~q) , g — 0, . . . , G — 1. For 
the sake of making the analysis of this case parallel to that of the previous case of sending 
SARG04 states, we associate three extra states (with certain symmetry) to each arbitrary 
state and we label all states as follows: 

|af), z = 0,. ..,3, g = 0,...,G-l. (C21) 
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We can view the states as divided into sets of four with a total of G sets. The % = states are 
the original arbitrary states and are called the representative states of its set; the i = 1, 2, 3 
states are the extra states introduced. The POVM elements {Wf Wf} corresponding to the 
states are also indexed in the same way. Along the same lines as the SARG04 states, we 
define the extra states to have a rotational symmetry that satisfies \a 9 m+k ) = R~ k |cr^) , Wg. 
This symmetry requirement makes the analysis much easier since it resembles the analysis 
for the case of sending SARG04 states. Note that the introduction of the three extra states 
in each set does not lose any generality, since if the extra states are not needed in the 
minimization of the bit error rate, their corresponding POVM elements will eventually be 
found to be zeros. 

The analysis of this case basically goes as before by replacing \ipi) with |of). The final 
normalized bit error rate is 

Eg=Q Em=0 Ej=Q (jz \ ^m^mWm \jz) (C00\ 

6b " eS eLo e)=o &i «^ b*> ' 

which has the same form as before but with different L-^s and B^'s. As before, both of 
them are weighted sums of the outer products of the SARG04 states, E*=i K im Wi+m) (<Pi+ m \- 
(«j m 's for B^ and L 9 m are different.) The difference is that now fti m 's are no longer constant, 
but dependent on the representative state of each set sent by Eve, |<7q). Thus, is also a 
function of this state. Since Claim El says that we can minimize each term of separately 
and since |<Tq) is arbitrary anyway, we only need to focus on Lq and Bq and minimize the 
eigenvalues of (Bq) 2 Lq(Bq) 2 (which correspond to the bit error rate). The two eigenvalues 
are 

' and (C23) 



4 - c 4 + c 

where |<Tq) = ooo \0 Z ) + aoi c = |^j§^^~p < 1- The minimum of the first eigenvalue 
is | at c = 1 and the second eigenvalue is in [0.5,0.6]. Therefore, we conclude that, for the 
one-photon SARG04 case, the minimum bit error rate caused by Eve using a general POVM 
intercept-and-resend attack with arbitrary states sent is |. Note that c = 1 corresponds 
to the phase difference between o"oo and <7oi being or it, under our specific choice of the 
SARG04 states. Also, the bit error rate of | can be achieved with any assignment of ooo 
and <7oi (of course, different assignments of them give rise to different POVM elements), as 
long as they are in phase or completely out of phase. 
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3. Two-photon case 



We can extend this proof to the two-photon SARG04 case easily. The initial state becomes 
I^)aei = \®z)a \ < Po < Po)e 1 + \^-z)a WiVi) ev as Alice emits two photons to Eve. Alice applies 
rotation R k ® R k to the two-qubit system E\ before it is sent to Eve. Eve then performs a 
POVM on E\ and, based on the measurement outcome, sends system B to Bob as before. 
The analysis for this case is the same as the one-photon case, with the change of E\ being 
a two-qubit system. Because of this change, the matrices W^, L 9 m1 and B^ in the analysis 
are subsequently changed to have dimension 4x4. Both L 9 m and B g m are enlarged by 
replacing every tensor product of the form \(p m ) (</? m | by \(p m f m ) (fmfm\, with no change 
to the corresponding coefficients. We can carry the same analysis as the single-photon case 
and arrive at the eigenvalues of (B®)~^ Lq(Bq)~^ to determine the bit error rate 2 . Because 
of the increased dimension in this case, we could not directly solve for the eigenvalues in 
terms of \(Tq). Instead, we parameterize the eigenvalues with two parameters, 8 Z , and 9 y , 
and plot the eigenvalues against these two parameters. These two parameters come from 
the fact that any state can be written as a rotation about the z-axis on \tpo) (which is not 
equal to \0 Z ) or \l z )) followed a rotation about the y-axis, i.e. |<7q) = R y {B y )R z {6 z ) 
Using this definition for |oq), we found, from plots of the eigenvalues as functions of 9 y and 
8 Z , that the eigenvalues are not dependent on 9 y and reach minimum when 9 Z = 0, tt. The 
minimum eigenvalue (and thus the minimum bit error rate) is ^fi « 22.65%. A POVM 
that gives rise to this minimum bit error rate is 

WlW m = P(A+ \(p m ) \<p m ) + A_ \<p m+2 ) |v?m+ 2 » , m = 0, . . . , 3 (C24) 
W^W^ = P(\<po) \ip 2 ) - \ip 2 ) \<p ))/2 (C25) 
= P(\ip 3 ) - |^> |^ 3 »/2 (C26) 

where A± = (±2 + V2)/4 and P(|$)) = |$) ($| is a projection operator associated with a 
pure state |$). Eve sends \<p m ) to Bob when the measurement outcome is m G [0,3]. Note 
that W^ c W vac never occurs, since the four states sent by Alice, \<p m ) \<p m ) ■, m £ [0,3], are 

2 Actually, the pseudo inverse of Bq is used since Bq (and Lq) has rank 3. The analysis is not affected since 
the nullspaces of Bq and Lq are the same. 
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orthogonal to the state W^ ac W VSlC projects onto. 
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